FIG. 1 illustrates a retail payment system for conducting purchase transactions and effecting payment for them using credit cards, debit cards, or other kinds of payment instruments. In the diagram of FIG. 1, a number of consumers 101-104 make purchases at a number of merchants 105-107. Each consumer makes payment using a payment instrument issued by one of issuers 108-110.
Each consumer has a pre-existing relationship with the issuer of the payment instrument being used. The issuer is typically a bank. The bank may extend credit to the consumer, against which the consumer makes purchases with a credit card. In this case, the consumer periodically pays the bank for the purchases, often with funds drawn on a different bank (not shown). Or the bank may hold funds in a debit account and the consumer may make purchases with a debit card using funds in the account.
In a typical credit card transaction, the consumer presents the card to the merchant at a point of sale. The merchant reads account information from the card, often by “swiping” the card through a point of sale (POS) terminal. The POS terminal transmits the account information along with details about the transaction through one of payments networks 111 or 112 to the issuer of the card (or a processing company hired by the issuer) for transaction approval. The transaction details include at least the amount of the proposed transaction, and may include other information to be described later. Usually, the issuer verifies that the consumer has sufficient credit to make the purchase, and transmits the approval back through the payments network to the merchant. For most credit card transactions, the consumer is asked to sign a document at the time of purchase, as a way of authenticating the consumer as the rightful account holder and not someone attempting to make a fraudulent purchase.
A typical debit card transaction proceeds in a way similar to a credit card transaction. Often for debit cards, authentication of the consumer is done by way of a personal identification number (PIN) entered by the consumer, rather than using a signature.
More detail about payments networks and payment transactions may be found in pending U.S. patent application Ser. No. 11/055,028 of Rogers et al. and entitled “Methods and systems of processing transactions”, the entire disclosure of which is incorporated by reference herein.
Consumer authentication as so far described is based on secret information shared between the issuer and the consumer. For example, in one authentication scheme, when a new credit card is issued, the consumer provides some confidential information, such as the consumer's address, phone number, social security number or other government identification number, or other information. The new card is mailed to the consumer's home, and the consumer is required to call the issuer from the consumer's home phone number to “activate” the card. The consumer also signs the card. These steps help ensure that the signature on the back of a credit card is that of the rightful account holder, as the rightful account holder is the only person likely to be able to receive the card at the consumer's home address and use the consumer's home phone to activate the card. The consumer's signature can then be compared at a point of sale with the signature on the card as a way of verifying that the consumer is also the rightful holder of the card account.
Similarly, a PIN is typically set up for a debit card at the time the debit card is issued, using similar security measures.
Payments networks such as networks 111 and 112 route the communications between merchants and issuers based on information read from the payment instruments. A payments network is an infrastructure that supports the exchange of data in implementing payment transactions. The diagram of FIG. 1 is greatly simplified. In actuality there are roughly dozens of payments networks, hundreds of issuers, thousands of merchants, and millions of consumers. Without these payments networks, each merchant would need a relationship with each issuer whose instruments the merchant wished to accept, and the task of managing transaction approvals would be very burdensome for the merchants. Using payments networks, each merchant need only have a relationship with one or at most a few payments networks. Not all issuers use all networks, and not all merchants accept cards serviced by all networks. Well-known payments networks in operation today include Visa®, MasterCard®, and others used mainly in credit card transactions, and NYCE®, Star®, and others used mainly in debit transactions.
As it has been described so far, a payments network is simply a “pipe” that transfers information back and forth between a merchant and an issuer. The payments network does not have any secret information about the consumer, and takes no part in authenticating the consumer or approving a transaction. The information transmitted by the payments network includes only information about the proposed transaction; it is up to the merchant and the issuer to ensure that the consumer is the rightful account holder.
With the advent of electronic commerce, other complications arise. For example, when a consumer purchases by phone or online, the merchant has no way to verify a signature on a credit card because the consumer is not present in person at the merchant location. Such transactions carry more risk for the merchant than in-person transactions. Some merchants may decline to make certain sales rather than accept the risk. The merchant may miss out on many legitimate sales, and consumers are inconvenienced because they are denied the opportunity to purchase items in the way they wish to.
One solution to the problem of authentication of purchasers in an Internet transaction is for the payments network to offer a verification service for cards or other payment instruments. In this arrangement, the rightful user of a particular card chooses a password that must be supplied whenever the card is used in a transaction where the card is not physically present. The password is known to the payments network or to an issuer processor audited and approved by the payments network, which then requires the password to be given when a transaction is attempted. When the correct password is given during a transaction, all parties have increased confidence that the purchaser is the rightful cardholder, assuming that the rightful person chose the password to start with. In light of this confidence, the payments network shifts the risk of any fraudulent transactions from the merchant to the issuer. Merchants are free to accept verified cards by phone or Internet without worry, and consumers and issuers are confident that if a card is lost or stolen, the card will not be used to make fraudulent purchases because the finder or thief will not know the password.
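A minimal model of the password check and risk shift described above, added here as an illustration and not taken from the application. The class and function names, the salted PBKDF2 storage of the password, and the sample card number and password are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed work factor for this example


class CardVerificationService:
    """Password check run by the payments network (hypothetical model)."""

    def __init__(self):
        self._enrolled = {}  # card number -> (salt, derived key)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, card_number, password):
        # Assumes the applicant has already been authenticated as the rightful
        # cardholder; the scheme is only as strong as that enrollment step.
        salt = secrets.token_bytes(16)
        self._enrolled[card_number] = (salt, self._derive(password, salt))

    def is_enrolled(self, card_number):
        return card_number in self._enrolled

    def verify(self, card_number, password):
        record = self._enrolled.get(card_number)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the stored and freshly derived keys.
        return hmac.compare_digest(expected, self._derive(password, salt))


def route_transaction(service, card_number, card_present, password=None):
    """Return (forward_to_issuer, party bearing fraud risk or None)."""
    if card_present:
        return True, None            # in-person: signature or PIN applies instead
    if not service.is_enrolled(card_number):
        return True, "merchant"      # unverified card-not-present sale
    if password is not None and service.verify(card_number, password):
        return True, "issuer"        # verified: risk shifts to the issuer
    return False, None               # enrolled card, wrong or missing password


# Constructed sample data: a test card number and a made-up password.
svc = CardVerificationService()
svc.enroll("4111111111111111", "correct horse")
```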
The success of a card verification service relies on the fact that the rightful cardholder is the one who chose the password. During a consumer's initial enrollment in the card verification service, it is therefore necessary to authenticate the cardholder applying for enrollment. Previously, this was done in cooperation with the issuer of the card. That is, the payments network administrator requested some secret information from the issuer about a particular cardholder, and then required that a cardholder attempting to register a particular card in the service supply the same secret information before enrollment could be completed. The secret information may include the cardholder's home telephone number, part of the consumer's social security number, or other similar information. This level of cooperation requires significant interaction between the issuer and the payments network. Furthermore, this method of authentication undesirably spreads the consumer's secret information to the payments network or other processors, who previously had no need of it.
Electronic commerce also presents new opportunities. For example, systems are being developed for mobile commerce. In a mobile commerce system, a consumer may carry a “digital wallet”, which stores credit card information and various other purchasing credentials on a portable electronic device such as a cellular telephone. If a particular card issuer has implemented systems compatible with mobile commerce, consumers may be able to make purchases, query their account balances or available credit, make payments, and perform other financial tasks conveniently with one mobile device. A payments network may wish to provide services that enable mobile commerce, even though some card issuers may not implement systems compatible with mobile commerce. For example, a payments network may accept a mobile commerce account balance query from a consumer, send a query through traditional channels to the card issuer, receive the requested information from the card issuer through traditional channels, and then pass the information to the consumer via mobile commerce.
More detail about various systems and methods for conducting mobile commerce may be found in co-pending U.S. patent application Ser. No. 11/830,459 of Arthur et al. and entitled “Payments using a mobile commerce device”, the entire disclosure of which is incorporated by reference herein.
Of course, before enrolling a particular consumer in such a service relating to a particular account, the payments network will need to authenticate the applicant for enrollment as the rightful account holder. As is described above, authenticating an applicant by a payments network has traditionally required the cooperation of the issuers. Because there are many card issuers, the task of setting up the new service may be formidable.